Well here's how it works. GoDaddy and all other host's "one-click" is installation only. It doesn't auto-update your WordPress install so yours likely contained an old security exploit and was easily hacked. This is by design, it would be bad to install a WP theme and then have your website broken because it auto-updated WP.

Even so, you never answered my original question. How'd you determine it was a sandboxing problem rather than your own WordPress installation being compromised? Seems even less so considering you didn't realize you had to update WordPress yourself.